Important notice!
Due to an unfortunate rsync backup mixup, I accidentally removed all code (and source control history) of this project. Oops.
Overview
What is a chaining proxy server?
Proxy chaining allows indirect connections to web sites and remote ports that may otherwise be blocked by an intermediate proxy server.
Why would you use a chaining proxy server?
You may be required to access the internet through an intermediate proxy server. If this is the case:
- Some programs may not be set up to run through a proxy server, such as email, chat programs, etc. The janus proxy server can create a tunnel through the proxy server, so while your local program (eg: email client) thinks it is connecting directly to a given server, it is actually being routed through several proxies. For example, you could tunnel all traffic from a local port (eg: 128, or pop3) to a remote port (eg: your isp's email server).
- Your proxy server censors what you read on the internet, blocking (for example) webmail, political, or social websites. The janus proxy server can tunnel through an intermediate proxy server which will serve those websites, working around the block.
- Your proxy server doesn't allow connection to certain ports, for example, chat programs or ftp. The janus proxy server can attempt to find intermediate proxies capable of connecting to these blocked ports, allowing the use of these programs.
You may want to try to make an anonymous connection to a server. If this is the case:
- Connecting to a server through an anonymous proxy can help improve your chances of connecting anonymously, as proxy servers may or may not inform the destination of who is connecting. By chaining multiple proxies together, you can improve the chance that your communication is anonymous. Note that it will not (and can not) be completely anonymous.
Origins of the janus proxy server
The janus proxy server is a modification of an existing GPL project written in C# designed to allow chaining of proxy servers. It had code to authenticate against NTLM proxy servers, but this code wasn't working. I modified the program to use the LM authentication method, and added unit tests to ensure the messages sent for both NT and LM authentication were binary identical to the authentication messages sent by the python NTLM proxy server authentication program.
The program was refactored so that the core server authentication code was part of a library (as opposed to being embedded in a gui), and a console program that used this library was added. All future changes flowed on from this core technology.
Technology
Core proxy server
The Janus proxy server is written in C#.
While the NTLM authentication was being modified, it was changed to use the C# encryption libraries where appropriate.
Functionality is in a library
As the core functionality is in a library, it can be used in many contexts. For example, there is a gui to provide hard coded tunnels through to specific servers, and a console application capable of dynamically switching between proxies.
Dynamic proxy server allocation
The dynamic proxy server allocator keeps track of all available proxies. When a proxy becomes out of date, it is automatically removed from the list of available proxies. Proxy information, such as which ports it can (and cannot) connect to and its authentication details, is also stored.
Detect invalid proxy servers
By detecting when a proxy server becomes invalid, the proxy chainer can attempt only valid proxy configurations. This can include limiting servers to only connect through certain ports. At the moment there are no brains behind choosing which proxy servers to use (and it doesn't detect when a proxy server forbids connecting to a certain port).
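The sketch below is an added example, not the project's lost C# code: it shows one way to decide which hop of a CONNECT chain to blame for a refusal, the problem raised here and again under "Detect who is forbidding". It assumes each proxy relays bytes blindly once it has answered 200, that the destination speaks plain HTTP, and that replies are read one per hop; the host names, function names and sample replies are constructed. Leftover bytes are returned because the changelog mentions a proxy that appends an extra character to CONNECT replies, whose exact form the page does not give.

```python
import re

STATUS_RE = re.compile(rb"HTTP/1\.[01] (\d{3})\b")

def parse_reply(raw: bytes):
    """Return (status, headers, leftover) for one HTTP reply header block."""
    head, sep, leftover = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = STATUS_RE.match(lines[0])
    if not sep or not m:
        raise ValueError("incomplete or non-HTTP reply")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # Bytes after the blank line are handed back rather than dropped: they are
    # either tunnel payload or a stray byte added by a non-conforming proxy.
    return int(m.group(1)), headers, leftover

def attribute(hops, replies):
    """replies[i] is the first reply read once hops[i] is the far end of the
    connection, so hops[i] wrote it. Returns (hop, verdict, detail)."""
    for i, raw in enumerate(replies):
        status, headers, _ = parse_reply(raw)
        if i == len(hops) - 1:  # tunnel is open; the destination itself answered
            verdict = "destination-forbids" if status == 403 else "destination-answered"
            return hops[i], verdict, status
        target = hops[i + 1]
        if 200 <= status < 300:
            continue  # hops[i] opened a tunnel to target
        if status == 407:
            schemes = [v.split()[0] for v in headers.get("proxy-authenticate", []) if v]
            return hops[i], "proxy-needs-auth", schemes
        if status in (403, 405):  # policy of hops[i]: record host/port, keep the proxy
            return hops[i], "proxy-forbids-target", target
        if status in (502, 503, 504):  # hops[i] could not reach target: suspect target
            return target, "next-hop-unreachable", status
        return hops[i], "unexpected-status", status
    return hops[-1], "tunnel-open", None

# Constructed sample data: hypothetical host names and hand-written replies.
HOPS = ["proxy-a.example:8080", "proxy-b.example:3128", "www.example:80"]
OK = b"HTTP/1.0 200 Connection established\r\n\r\n"
DENY = b"HTTP/1.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
AUTH = b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM\r\nProxy-Authenticate: Basic realm=\"x\"\r\n\r\n"

if __name__ == "__main__":
    for replies in ([OK, DENY], [OK, OK, DENY], [AUTH], [OK, OK]):
        print(attribute(HOPS, replies))
```

A 403 on the second reply is attributed to the second proxy's policy for that host and port, while the same 403 on the third reply comes from the destination and says nothing about either proxy.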
Load proxy servers from a file
Proxy servers are stored in an xml config file, and as proxy server changes are detected, this file is automatically updated with the new configurations.
Multiple servers
Multiple servers can be running simultaneously, all reusing the one proxy list. These servers can either be tunnels to specific external servers, or open ended tunnels, ending in an http proxy (for use by proxy aware programs, such as web browsers). The configuration in these servers is stored in an xml configuration file.
Future improvements
Detect who is forbidding
When we receive a forbidden message from a proxy server, we need to detect if the forbidden message arose from the intermediate proxy or the destination server. Without this we cannot reliably detect invalid proxy servers.
Authenticate arbitrary http messages
By authenticating http messages directly, only a single proxy need be used. This also allows the proxy server to request pages itself. It will also allow invalidating final http proxy servers (at the moment we can only invalidate the end proxy if we fail to connect to it).
Automatic download of proxy server list
As the server can now authenticate messages directly, it is capable of requesting proxy server lists from the internet. Implementing this will allow the proxy server to be maintained automatically (as currently the proxy servers need to be updated every couple of days by hand).
Website specific customisations
As the server is now capable of scanning incoming http packets, it should read these packets, and perform actions specific to the destination address and port. This allows a single proxy server to be used, instead of switching within the client application.
Web server configuration
Implement a simple web server to perform the customisations. This is FAR better than implementing a gui to do the same thing.
Get it working on mono
Get it working on mono. This will either be trivial or extremely difficult, depending on whether mono implements the required encryption libraries.
News
Oops...
End of 2004
Following an unfortunate rsync backup mixup, all source (and binaries) to this project were lost. Oops.
More progress
22 September 2004
- The gui now allows different local ports from the remote port.
- Proxies and servers can be added through the console program.
- Proxy and server configuration is no longer hard coded.
- Console application can setup tunnels and web proxies.
- Automatic detection of bad proxies (only partly working)
- Workaround for broken eTrust proxy server (detects extra character at the end of connect proxy responses).
Initial modifications to Janus proxy server
16 August 2004
- Initial description of the modifications made to the janus proxy server, including the addition of a console program and fixed NTLM authentication.